Hacker News new | ask | show | jobs
by andrew1 5614 days ago
So they're not falling over themselves to fix a bug which no one has noticed for 10+ years, and which hardly anyone is going to hit in actual use. Maybe they're spending their time fixing problems which are actually affecting developers.
1 comments
mhansen 5614 days ago
Any public-facing Java server affected by this bug that accepts floating point numbers from the user as a string can be hung by this bug.

This is going to be a big problem.

link
stevie_wilks 5614 days ago
Excellent point. I'm going to have some tests to run when I get in to work this morning.
link
ashutoshmehra 5613 days ago
Yup. A comment on the original webpage reported that this value appears to hang/time-out Google Spreadsheet. I tested and it indeed was the case. So there are going to be lots of places one can fool around on the input side only to send the server thread into a loop. That's bad.
link
sigzero 5614 days ago
And yet...in 10+ years...it hasn't been a problem? Certainly the need to fix it but saying it is going to be a "big problem" is a bit theatrical.
link
steveklabnik 5614 days ago
Well, yeah. Nobody _accidentally_ hit upon this number, but now that it's a known way to commit a denial of service attack, people are going to take advantage of it.

Imagine your response, but about a kernel privilege escalation bug:

"And yet...in 10+ years...it hasn't been a problem? Certainly the need to fix it but saying it is going to be a "big problem" is a bit theatrical."

link
VMG 5614 days ago
I tried to dig up a list of websites with a java-backend but my google-fu is not strong enough. I don't think that there are actually many big sites running on java.
link
al05 5614 days ago
There are tons of sites running on java. Possibly more than php.
link
quomopete 5614 days ago
Yup - http://wiki.java.net/bin/view/Projects/RealWorldJSFLinks

Anecdotally, a lot of those [\w+]tube porn sites probably run on a Java server considering the heavy lifting that goes on there.

link
exec 5613 days ago
Most of internet banking systems in my country run on Java. And most of them can be affected if you know where to put this number.
link
Sandman 5613 days ago
Yes, but fortunately, there is not much reason why anybody would use double when developing a banking system.
link
yyyy 5612 days ago
They don't have to use it directly.

GET / HTTP/1.0

Accept-Language: en;q=2.2250738585072012e-308

If you're running Tomcat and you call getLocale() on that servlet request, you're toast.

link